ad-domain-attack
Audited by Socket on May 9, 2026
7 alerts found:
Security / Malware (x6)
This artifact is an offensive AD reconnaissance and Kerberos/SMB/LDAP workflow guide rather than a software dependency. While there is no evidence of embedded malware/obfuscation within the fragment itself (no library code to hide behavior), it provides step-by-step instructions that can enable unauthorized network scanning, Kerberos ticket/ccache handling, and authenticated remote execution/secrets dumping. Treat it as high-misuse operational guidance rather than benign software logic.
This fragment is not benign software code; it is an attacker-oriented Active Directory exploitation and persistence playbook. It provides highly actionable steps to obtain domain-wide credentials, forge Kerberos tickets, abuse delegation/ACLs, compromise AD CS/certificates, modify AD attributes for RBCD/Shadow Credentials, and use GPO for remote command execution and persistence. If present inside a software package as executable logic (not just documentation), it would represent a severe supply-chain security risk. Since no real implementation code is provided here, malware/behavior cannot be confirmed at the code level, but misuse potential is very high.
This fragment is unequivocally malicious content: an AD/Windows credential attack and credential theft playbook. It directly enables password spraying, Kerberos roasting, LSASS/SAM/minidump and DPAPI credential harvesting, GPP secret decryption, offline cracking, and lateral movement/remote execution using stolen credentials/hashes. If published or included as part of any software artifact, the security risk is extreme and the malware likelihood is effectively certain.
This fragment is an offensive, abuse-ready Active Directory enumeration and credential-harvesting playbook. It explicitly supports validating credentials across multiple protocols, crawling SYSVOL/shared content, decrypting MS14-025 GPP cpassword values into plaintext credentials using a hardcoded key/IV, and using BloodHound/LDAP queries to identify high-impact privilege-escalation paths. If present in a software supply chain as a “module” or dependency content, it should be treated as high-risk malicious/dual-use material intended to facilitate unauthorized access.
This skill is not an ordinary administration or troubleshooting guide; it is an Active Directory attack manual aimed at AI agents, covering reconnaissance, credential attacks, privilege escalation, domain controller takeover, and persistence. Its capabilities match the "attack" description, but it is itself a high-risk offensive security skill and should be rated as high-risk rather than benign.
The provided fragment is an explicit offensive exploitation and credential theft playbook for ZeroLogon (CVE-2020-1472). It instructs scanning for vulnerable Netlogon behavior, using NTLM relay mechanisms to trigger DCSync for domain-wide hash extraction, and optionally performing a destructive DC machine account password nulling followed by restoration. No benign or defensive software logic is present in this content; it is materially aligned with high-impact AD compromise.
High-confidence malicious instruction content: this JSON is a ready-made blueprint for conducting Active Directory attacks (Kerberoasting with impacket + offline hash cracking, lockout-aware password-spray preparation via net accounts policy fields, and BloodHound-style remote enumeration via bloodhound-python). While it contains no executable code in this fragment, it meaningfully facilitates wrongdoing and includes an embedded plaintext credential-like string. No defensive or benign functionality is present.